Using Windows Logon Banners with Symantec Endpoint Encryption 11 and Symantec Drive Encryption 10.4 clients

Article ID: 156184

Issue/Introduction

Symantec Drive Encryption and Symantec Endpoint Encryption clients allow a system to be fully encrypted for regular passphrase users or for Single Sign-On (SSO) users.

If a Single Sign-On user is added to the disk, then after that user authenticates with their passphrase at the preboot authentication screen, the same login credentials automatically log the user in to their Windows profile.

A Windows Logon Banner halts the login process: it displays a text screen to the user and requires clicking “OK” before the login to the Windows user profile proceeds. Combined with Single Sign-On, this poses a potential security concern. Once the logon banner is displayed, the system auto-logs in as soon as the OK button is clicked, no matter how much time has passed. If a user enters the passphrase at the preboot authentication screen and then walks away from the machine, anyone could click the OK button while the user is away and gain access to that user’s Windows profile.

Resolution

The recommended strategy when using Single Sign-On with Windows Logon Banners is to educate users to enter the passphrase at the preboot authentication screen, wait until the logon banner appears, and then click “OK” to log in to the Windows profile. If the user must walk away from the system, it is recommended that the user first lock the Windows user profile (using Windows Key + L) so that unauthorized persons cannot gain access to the Windows profile while they are away. Another way to lock the screen is to press CTRL+ALT+DEL and then click “Lock Computer” / “Lock this computer”.

If the above recommended strategy is not possible, the Auto Logon functionality can be disabled on Symantec Drive Encryption 10.4 clients via a registry change.
For information on how to make this registry change, please see the article:

http://www.symantec.com/docs/HOWTO42010

For Symantec Endpoint Encryption 11 clients there is no method to disable this functionality, so it is important to educate end users to click OK on the logon banner and then lock the screen before walking away.